Redirecting responses
-
I was perusing through some code for a web-based project management tool we use (written in PHP) and came across a call to 'ResponseRedirect'. Naturally, I wanted to take a peek at what could possibly be contained in it that makes it so special. Needless to say I wasn't impressed.
function ResponseRedirect($location)
{
    header('Location: ' . $location);
}
-
"I am afeared of change and have a hard time adjusting to PHP so instead of learning, I'm going to force upon the language the methods that I'm already used to."
-
The only thing I see wrong with that is it lacks an exit (); or die (); after header (); as 1: header is acted on by the browser, not the program and 2: if headers are already sent it won't work and will effectively ignore that command which is especially dangerous if you use header for security/login redirects.
In fact someone using the above function would be able to fix my stated bug in a few seconds, while someone that has hardcoded header (); everywhere will have a much tougher time.
-
@Meep3d said:
The only thing I see wrong with that is it lacks an exit (); or die (); after header (); as 1: header is acted on by the browser, not the program and 2: if headers are already sent it won't work and will effectively ignore that command which is especially dangerous if you use header for security/login redirects.
In fact someone using the above function would be able to fix my stated bug in a few seconds, while someone that has hardcoded header (); everywhere will have a much tougher time.
Agreed. Personally, I wouldn't use redirects in this way at all because you end up with goto-like spaghetti. For smaller projects it should be fine, though, except for the missing exit.
-
I've done something like that myself so that if I ever should have time to fix the HTTP header injection vulnerability that
header('Location: ' . $location);
exposes, I can just fix it in this one place.
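-
An added example, not code from any poster or from the project being discussed: one way the wrapper could address the three problems raised in the thread (no exit after the header, headers already sent, header injection through $location). The helper name assertSafeLocation, the $status parameter and the sample inputs are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Rejects targets that cannot safely be placed in a Location header.
// (assertSafeLocation is a hypothetical helper name, not from the thread.)
function assertSafeLocation(string $location): string
{
    if ($location === '') {
        throw new InvalidArgumentException('Empty redirect target');
    }
    // CR/LF would let the value start a new header line; reject all control bytes.
    if (preg_match('/[\x00-\x1F\x7F]/', $location) === 1) {
        throw new InvalidArgumentException('Control character in redirect target');
    }
    return $location;
}

function ResponseRedirect(string $location, int $status = 302): void
{
    $location = assertSafeLocation($location);

    // Once output has started, header() cannot change the response. Fail loudly
    // instead of falling through to the page the redirect was meant to protect.
    if (headers_sent($file, $line)) {
        throw new RuntimeException("Redirect impossible: output started at $file:$line");
    }

    header('Location: ' . $location, true, $status);
    exit; // the browser acts on the header; the script must stop itself
}

// Constructed sample inputs, checked only when run from the command line.
if (PHP_SAPI === 'cli') {
    $samples = ['/login.php', "/login.php\r\nX-Injected: 1"];
    foreach ($samples as $sample) {
        try {
            assertSafeLocation($sample);
            echo 'accepted: ', json_encode($sample), PHP_EOL;
        } catch (InvalidArgumentException $e) {
            echo 'rejected: ', json_encode($sample), ' (', $e->getMessage(), ')', PHP_EOL;
        }
    }
}
```

Because every caller goes through the one function, the validation and the exit apply to all redirects at once, which is the point several posters make about wrapping header() in the first place.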